Brute Force Vulnerability in Argo CD Could Allow Attackers to Bypass Rate Limits and Target Default Admin Account
CVE-2024-21662

9.1 CRITICAL

Key Information:

Vendor: Argoproj

Status: Vendor

CVE Published: 18 March 2024

What is CVE-2024-21662?

Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, contains a vulnerability that lets an unauthenticated attacker bypass its login rate limit and brute force protection. Argo CD tracks failed login attempts per username in an in-memory cache that is capped at 1000 entries. When the cap is reached the cache is purged to make room, and nothing prevents an attacker from filling it: by sending failed logins for roughly a thousand distinct usernames, the attacker forces a purge that also discards the failed-attempt record of the built-in admin account. The admin lockout is reset, and the attacker can keep guessing the admin password at full speed by interleaving password guesses with cache-flooding requests. The flaw undermines the brute force protection that was introduced in response to an earlier Argo CD vulnerability, so the earlier protection alone should not be relied on. The issue is fixed in versions 2.8.13, 2.9.9 and 2.10.4; operators should upgrade, and in the meantime should disable the default admin account in favour of SSO users or place the API server behind a reverse proxy that rate limits /api/v1/session by source address.
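The following Go program is an added illustration of the mechanism described above; it is not Argo CD's code and not its patch. It models a bounded per-user failed-login cache in two variants: the vulnerable strategy, which purges every entry when the cache is full, and a hardened strategy that only drops expired entries and otherwise fails closed (refuses login attempts from untracked usernames while the cache is full) so an attacker-triggered overflow can never forget an existing lockout. The 1000-entry cap is the one the advisory describes; the failure threshold of 5, the 5-minute window and all identifiers are this example's assumptions, and the fail-closed choice is one possible hardening rather than the project's actual fix.

```go
package main

import (
	"fmt"
	"time"
)

// Tunables. maxCacheSize is the cap described in the advisory; the other two
// values are assumptions for this example.
const (
	maxCacheSize  = 1000
	maxFailCount  = 5
	failureWindow = 5 * time.Minute
)

type failure struct {
	count    int
	lastSeen time.Time
}

// Tracker counts failed logins per username in a bounded in-memory cache.
// purgeOnOverflow selects the vulnerable strategy: when the cache is full,
// every entry is dropped to make room, including the admin account's.
type Tracker struct {
	failures        map[string]*failure
	purgeOnOverflow bool
}

func NewTracker(purgeOnOverflow bool) *Tracker {
	return &Tracker{failures: make(map[string]*failure), purgeOnOverflow: purgeOnOverflow}
}

// sweepExpired drops entries whose failure window has elapsed; they no
// longer contribute to any lockout, so forgetting them loses nothing.
func (t *Tracker) sweepExpired(now time.Time) {
	for u, f := range t.failures {
		if now.Sub(f.lastSeen) > failureWindow {
			delete(t.failures, u)
		}
	}
}

// Allow is the pre-authentication check: may a login attempt for user proceed?
func (t *Tracker) Allow(user string) bool {
	now := time.Now()
	if f, ok := t.failures[user]; ok {
		return now.Sub(f.lastSeen) > failureWindow || f.count < maxFailCount
	}
	if len(t.failures) < maxCacheSize || t.purgeOnOverflow {
		// Vulnerable variant: untracked users are always let through; the
		// overflow is handled (by purging) in RecordFailure.
		return true
	}
	t.sweepExpired(now)
	// Hardened variant: a cache full of live entries only happens under a
	// flood, so fail closed for untracked users instead of forgetting state.
	return len(t.failures) < maxCacheSize
}

// RecordFailure is called after a password check fails.
func (t *Tracker) RecordFailure(user string) {
	now := time.Now()
	if f, ok := t.failures[user]; ok {
		if now.Sub(f.lastSeen) > failureWindow {
			f.count = 0 // window elapsed: start counting again
		}
		f.count++
		f.lastSeen = now
		return
	}
	if len(t.failures) >= maxCacheSize {
		if t.purgeOnOverflow {
			// Vulnerable: an attacker-triggered purge resets every lockout.
			t.failures = make(map[string]*failure)
		} else {
			t.sweepExpired(now)
			if len(t.failures) >= maxCacheSize {
				return // still full of live lockouts: do not evict any of them
			}
		}
	}
	t.failures[user] = &failure{count: 1, lastSeen: now}
}

// SimulateAttack locks the admin account, floods the cache with distinct
// usernames, and reports whether admin is still locked afterwards together
// with how many flood attempts the tracker accepted.
func SimulateAttack(t *Tracker) (adminStillLocked bool, floodAccepted int) {
	for i := 0; i < maxFailCount; i++ {
		t.RecordFailure("admin")
	}
	for i := 0; i < maxCacheSize; i++ {
		u := fmt.Sprintf("nobody-%d", i) // constructed flood username
		if t.Allow(u) {
			floodAccepted++
			t.RecordFailure(u)
		}
	}
	return !t.Allow("admin"), floodAccepted
}

func main() {
	for _, purge := range []bool{true, false} {
		locked, n := SimulateAttack(NewTracker(purge))
		fmt.Printf("purgeOnOverflow=%v: flood attempts accepted=%d, admin still locked=%v\n", purge, n, locked)
	}
}
```

With the vulnerable strategy the 1000th flood username triggers the purge and the admin lockout disappears; with the hardened strategy the last flood attempt is refused and the admin entry survives. The trade-off of failing closed is that a sustained flood also blocks legitimate logins for usernames not already in the cache, which is why a per-source-address limit in front of the API server is the complementary control.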

Affected Version(s)

argo-cd < 2.8.13

argo-cd >= 2.9.0, < 2.9.9

argo-cd >= 2.10.0, < 2.10.4

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
